IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
AWS EC2 Full Network Packet Capture Detected
editAWS EC2 Full Network Packet Capture Detected
editIdentifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.
Rule type: query
Rule indices:
- filebeat-*
- logs-aws*
Severity: medium
Risk score: 47
Runs every: 10m
Searches indices from: now-60m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Cloud
- AWS
- Continuous Monitoring
- SecOps
- Network Security
Version: 2
Rule authors:
- Elastic
- Austin Songer
Rule license: Elastic License v2
Investigation guide
edit## Config The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Rule query
editevent.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and event.outcome:success
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Exfiltration
- ID: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/
-
Technique:
- Name: Automated Exfiltration
- ID: T1020
- Reference URL: https://attack.mitre.org/techniques/T1020/
-
Tactic:
- Name: Collection
- ID: TA0009
- Reference URL: https://attack.mitre.org/tactics/TA0009/
-
Technique:
- Name: Data Staged
- ID: T1074
- Reference URL: https://attack.mitre.org/techniques/T1074/